
What Is a SOC 2 Audit? Understand the Process and What to Expect

Let’s Start with What SOC 2 Is Not

A System and Organization Controls 2 (SOC 2) examination is not a compliance engagement, and an organization cannot be SOC 2 “certified.” This is a common misconception.

What SOC 2 Is

A SOC 2 examination is an attestation governed by the American Institute of Certified Public Accountants (AICPA). It provides assurance over specific risks a service provider poses to its customers. Management of the service provider asserts that its system and organizational controls are designed and operating effectively to mitigate risks tied to service commitments and requirements. A Certified Public Accountant then performs auditing procedures and provides an opinion on whether those controls are properly designed and operating as intended.

In simpler terms, a SOC 2 report communicates to customers that controls are in place and functioning to provide reasonable assurance that the organization is meeting its legal, regulatory, contractual, and service obligations.

Why SOC 2 Is an Attestation, Not a Certification

The benefit of SOC 2 being an attestation engagement is that the organization defines the scope of the system and services being reported on. This flexibility allows for a more customized and relevant report.

For example, a company may manage multiple applications but choose to report only on one that supports a specific industry with sensitive data or high availability requirements. SOC 2 does not require a minimum or maximum number of controls. The depth and breadth of controls depend on the specific risks the organization poses to its customers.

Trust Services Criteria

SOC 2 is based on the Trust Services Criteria issued by the AICPA. These criteria are divided into five categories:

  • Security (required for all SOC 2 reports)
  • Availability
  • Confidentiality
  • Processing Integrity
  • Privacy

The Security category is often referred to as the Common Criteria because it applies across the entire organization. The inclusion of other categories depends on the services provided and customer expectations.

Preparing for a SOC 2 Examination

Preparing for a SOC 2 examination can be complex and stressful. To simplify the process, here is a checklist of key steps:

1. Define Your SOC 2 Report Scope

  • Which customers will receive the SOC 2 report?
  • What services should be covered?
  • What systems and applications should be included?

2. Select Your Trust Services Criteria

Choose the criteria based on the scope of your report:

  • Security
  • Availability
  • Confidentiality
  • Processing Integrity
  • Privacy

3. Perform a Readiness Assessment

This can be done internally or with support from a partner like Asureti.

  • Identify the boundaries of the system. Consider which risks are owned and managed by your organization.
  • Identify subservice organizations (vendors) that materially affect your services. This leads to defining Complementary Subservice Organization Controls (CSOCs).
  • Identify risks outsourced to customers. This leads to defining Complementary User Entity Controls (CUECs).
  • Review or prepare policies that govern expectations based on your scope and selected criteria.
  • Identify controls implemented to address the Trust Services Criteria through inquiry and observation.
  • Perform testing to confirm that controls are not only implemented but also operational.

4. Remediate Gaps

Address any control or documentation gaps identified during the readiness assessment.

5. Retest Remediated Controls

After implementing new controls or documentation, perform operational testing to confirm effectiveness.

6. Select a CPA Firm

Choose a qualified CPA firm to conduct the SOC 2 examination.

